SANS Digital Forensics and Incident Response Blog

Facebook Forensics

by Jeff Bryner

Like most, I recently read the story of the EMT who posted a grisly picture to Facebook via his mobile phone. This got me thinking about social network forensics. I just happened to have joined Facebook (am I the last one?) and being of forensic mind... this post.

The issue that brings forensics into the case? The claim is that his post is by accident and was unintentional.

Now Facebook has a long history of privacy misunderstandings, and being a brand new user I can attest that it's nearly impossible at first glance to determine the privacy of the items you post. Is my looking at a potential 'friend' going to trigger an alert to them? If I look at their photos to see if I remember them does that alert my entire universe? What the heck is a poke?

Here's what I discovered about the current process to post a photo on Facebook using my own Symbian phone.

First you must register your mobile phone number on Facebook, so subsequent messages from you show up on your account. You do this by sending a MMS message to, and receiving a confirmation text message from Facebook (32665/fbook on the keypad). This results in a status change on your Facebook account "Jeff activated Facebook Mobile."

After registering, sending a picture to via a MMS message creates a 'mobile uploads' photo album with a time-stamp. The subject of the MMS message becomes the picture caption and the picture is added to the album.

Normally, new albums you create are automatically shared to everyone. The auto-created 'mobile uploads' photo album however, wasn't automatically shared to anyone. Even friends can't see the album, much less any pictures within it. To share you either need to post it on your 'wall' or change the privacy settings of the album via the path: Facebook->Profile->Photos->Album Privacy.

So given this process what would we look for in forensics to help determine if this was indeed an accident?

  1. Was he registered to use his mobile account on Facebook prior to the date in question?
  2. If not, then he would have had to go to extraordinary lengths to register, upload a picture and share it to the world.

  3. Was his 'mobile uploads' album shared prior to this event?
  4. If not, then again he would have had to explicitly share it. If it was shared prior to this event then any picture sent from his mobile would be public.

  5. Are there other pictures on his mobile?
  6. If not, then taking one is in itself a unique event. If there are other pictures on his mobile are the names similar? Could there be reasonable confusion about which photo is what?

  7. Was there some other event happening that initiated the send?
  8. It's not clear whether the photo was sent during the emergency response, or after. If it was sent during the response it would seem extraordinary to take the time out of your duties to send a photo. Then again, was there some other personal event occurring in his life that warranted a quick time-out to send a photo like a child's birthday earlier in the day, etc? If it was sent as a batch of photos during say a weekly upload to Facebook, then it may be part of his routine.

  9. Is the process of uploading pictures using a Symbian as I've done different than using a Samsung, or iPhone, or Blackberry, or Windows Mobile?
  10. Is the process for today's mobile pictures the same as when this event occurred?

It would seem that to properly answer the claim of 'accident' a forensic analysis of the time line and the details of his personal technology in conjunction with a review of his routine on Facebook would be in order.

With the explosion of social networking sites is there a need for a new forensic framework? One not so much focused on recovering deleted files or operating system artifacts, but centering on:

  • Determining the strength of relationships
  • Analyzing the intent of actions given the pattern of use on a social networking site
  • Determining the likelihood of observable events being related
  • Uncovering past relationships
  • Archiving site privacy settings/policies
  • Forensic patterns of intra-social networking applications?

What do you think? Comments?

Jeff Bryner , GCFA Gold #137, also holds the CISSP and GCIH certifications, occasionally teaches for SANS and performs forensics, intrusion analysis, and security architecture work on a daily basis.


Posted June 10, 2009 at 2:20 PM | Permalink | Reply


You raise some very good points regarding intent and I like the outline you've given.
I'm confused, however, about why he was taking pictures with his personal phone to begin with. I think that should trump any question of an accident since he has taken a photo that he shouldn't have with his personal phone'' Even if he didn't mean to post it to facebook, should he have the picture in his possession?
''or maybe I'm wrong here''

Posted June 10, 2009 at 3:13 PM | Permalink | Reply

Steve Boyko

I think you mean "grisly", not "grizzly", unless the EMT posted a photo of a bear.

Posted June 10, 2009 at 5:01 PM | Permalink | Reply


Grisly it is, thanks spell checker!

Posted June 10, 2009 at 5:14 PM | Permalink | Reply


@gleeda: you raise a good point, the acceptable-use policy and ownership of the device are definitely something that should be firmly established. I've not seen clarity whether the phone was personal or work issued, have you?

Posted June 10, 2009 at 7:24 PM | Permalink | Reply


@jeffbryner: Hmm'' I guess it doesn't really say whether it was his personal or work phone just "his" phone in the second article. I guess I just took "his phone" as "his personal phone".
However, even if it is his work phone, isn't it questionable to use your work phone for personal social networking? Though I can understand that his employer may not have officially had a policy against it'' But like you said, it would really depend on what his employer's policy is in that case.

Posted June 11, 2009 at 3:43 PM | Permalink | Reply

Joe Garcia

I tested this on the iPhone using the official Facebook app. I did not register my phone number with Facebook Mobile, nor did I create any photo albums on the test account prior to this test. Here are my findings:
''" Upon opening the Facebook app, at the top right corner there is a camera icon. Tap it and it gives 3 choices: Take Photo, Choose Existing Photo or Cancel
''" Choosing Take Photo opens the camera. Once you take a picture 2 options appear: Retake and Use Photo. Once you tap Use Photo, it gives you the option to Write a Caption. Whether or not you type a caption, you can tap the green Upload button on the lower left side of the screen. The photo is then posted to your account.
''" Choosing to use an existing photo brings you to your iPhone's photo library. Once you choose a photo, it gives you the option to tag the photo, as well as write a caption. Once done, you tap the green Upload button and it is posted to your account.
''" Checking the Facebook account, the photo appears in the account Newsfeed. Also, a new album was created named "Mobile Uploads" and the photo has "Uploaded via Facebook Mobile" listed underneath it. The album was also created as a shared album upon creation, viewable by the account's "friends".
''" Posting over WiFi was instant and over EDGE had a slight delay (obviously), but once the above process was completed the photo was listed in the newsfeed immediately. Both of the above ways to post a photo using the iPhone Facebook app are a 5 step process at minimum.
It is my opinion that there could be no "accidental" posting of a photo to a Facebook account when doing so from an iPhone.

Posted June 11, 2009 at 8:39 PM | Permalink | Reply


@Joe: Awesome, thanks for the iPhone/Facebook process documentation. I'm convinced that this type of process/current state knowledge is going to become crucial in cases involving social networking especially where a variety of devices, media and locations can be involved.
Curious that you didn't have to register. Is that done on install of the Facebook app?

Posted June 12, 2009 at 3:19 AM | Permalink | Reply

Joe Garcia

@jeffbryner: After you've downloaded and installed the Facebook app to your iPhone, all you need to do is just enter your login credentials the first time you start it and it will login to your account. Unless you logout, it will keep logging in automatically every time you start the app. If you did logout after each use of the app, that would add a sixth step (first step actually) of logging in to post a photo to your account.